What is Compliance and Risk Management?

June 1,2018

All organizations and businesses face risks of many kinds and varying degrees. A risk, as is commonly understood, is the likeliness of a negative result from an activity. From this definition, there is a risk from almost any business activity, because risk is the probability that a negative consequence, intended or unintended, could arise from a situation or an action. Likewise, businesses also understand and live with the fact that risk is inherent into simply anything that a business carries out, be it small or big. This is what risk management is essentially about.

A risk can be likened to the side effect a drug carries. Every time a drug or any medicine is administered, its intention is to ease the disease or condition. While this is the primary aim of the drug; it comes with the actions that substances cause on the patient, other than treating the condition. Risk is somewhat like this, because it is tied to and is integral to any action concerning business.

The Need for Overcoming Risk

One important question that arises from this definition is this: Why is it necessary to carry out an activity if it comes with a risk? That is, why should risk management be necessary?

The answer to this question can be answered by looking at the example given above, the one concerning side effects from a drug. Why should the medicine, which carries side effects, be administered at all? Well, the patient needs to be cured, right? Any business comes with a risk; so, would an organization stop doing business because of the risks involved?

A business should understand that there is no way a risk can be eliminated from the business; it can only do what can be done to minimize it. Risk assessment is about understanding the risk. Risk elimination is the ideal scenario to have, but it may not always be possible to do so. Risk prevention or risk elimination to the business is desirable and ideal, but it is not the most realistic of possibilities. Risk minimization, meaning limiting the damage caused by risk, is something that businesses should look forward to. Risk management covers all these aspects.

The risks that are faced by a business are unique to it. If one were to talk about say, a financial company; the set of risks it is exposed to is unique to this line of business. In addition, the company itself could have its own set of risks which are related to, but separate from the risks that any organization in this business is likely to face.

In the same way, a company that is in the business of manufacturing has its own set of risks and limitations. It must consider all the risks it faces in designing its risk management strategy, right from procuring the raw material for its products to managing the manufacturing process to managing the labor. In the course of all these, there is always the strong possibility that some risks could be present in the business. What if there is a labor problem? How does the manufacturing company manage it? What if there is some disruption in the procurement and supply of raw materials? What will happen if the government brings in a law that adversely affects the manufacturing industry?

What is Compliance Risk?

Of late, a whole new dimension has been added to risk. It is the risk relating to compliance. Risk compliance is a new challenge for all regulated businesses. Compliance with the guidelines set out by the regulatory agencies has become an imperative for businesses of late. Regulatory guidelines have come into force in almost all industries of late. Being in compliance with the regulatory guidelines suggested by the regulatory agencies is not something on which any business can afford to relax. Compliance risk management is about this aspect of risk management.

Compliance risk can be defined in simple terms as the risk that arises from lack of compliance with the regulatory guidelines set out by the regulatory agencies. This is a new kind of risk for businesses, and has gained so much importance lately that it is not uncommon to see companies appointing personnel that go by the designation of “Compliance Manager”.

What is Compliance, and How is Risk Related to it?

Regulatory agencies around the world have become a lot more proactive and diligent in suggesting and enforcing regulatory guidelines for products and services. The need for creating and implementing strict regulatory guidelines has come about because of developments in many areas such as pharmaceuticals, financial services and banking, not to mention about other areas like healthcare and IT. Why has this been so? Compliance risk management has grown because risk management requirements have not only gained prominence, but have grown on to become critical for organizations because of a few important reasons:

• Regulatory guidelines are created for each industry keeping the unique needs and dynamics of the industry
• Compliance with the regulatory guidelines is the highest guarantee of adaption of best practices and quality standards by the organization
• The regulatory guidelines set out by the regulatory bodies have to be complied with, failing which the business faces penal actions, which could throw the business backwards

How does an organization overcome compliance risk?

Compliance risk is the risk arising out of noncompliance with the regulatory guidelines and requirements. Compliance risk management is crucial, because noncompliance is one of the worst mistakes an organization can do, because, as we have seen; noncompliance with the regulatory guidelines could result in hefty fines and other penalties. To overcome compliance risk; the organization could do the following:

• It must develop a thorough understanding of the regulatory compliance requirements set out for its business. a good example is the JP Morgan case, which has now committed to spending nearly $4 billion on risk compliance programs following revelations of risk compliance gaps flowing from poor understanding of the compliance risk requirements
• It must show diligence at every level of compliance, because in the case of high specialization activities such as clinical research or development of medical devices; noncompliance at any stage sets back the work done till then by negating all this and requiring companies to start afresh, something that no company would like to do, given the enormous loss of time and money and other resources into the work
• Of late, many organizations have specialized in what is called compliance software. These software applications are part of a governance, risk and compliance (GRC) package, and ensure that there is automation of compliance processes
• Many companies appoint a compliance department, which is a specialized branch that deals purely with compliance, as a means of reducing risk compliance. This department is usually a fully specialized one with its own set of functions and tasks that works like other departments, just like Finance and human resources
• The ultimate guarantee of ensuring compliance risk elimination is to be vigilant all the time. Following allegations of failure to comply with guidelines for risk; JP Morgan has embarked on plans to recruit or pull in more than 3,000 people to be put in charge of compliance. All these point to the imperative for putting a compliance risk management strategy in place